
curl-library

Re: EPSV vs PASV

From: Michael Wood <esiotrot_at_gmail.com>
Date: Sat, 5 Feb 2011 22:16:18 +0200

Hi

On 5 February 2011 21:23, Leo <leo.r_at_rogers.com> wrote:
[...]
> -About 15 servers that don't like EPSV were reported. curl tries to connect
> with EPSV, then switches to PASV after a 75 sec wait and either fails (as in
> my previous example) or connects. If EPSV is disabled, curl connects with no
> problems.
>
> Here's an example of successful connection after waiting 75 sec and
> switching to PASV:
>
> * About to connect() to 145.243.189.65 port 21 (#0)
> *   Trying 145.243.189.65... connected
> * Connected to 145.243.189.65 (145.243.189.65) port 21 (#0)
[...]
>> EPSV
> * Connect data stream passively
> < 229 Entering Extended Passive Mode (|||24440|)
>
> <75 sec wait>
>
> *   Trying 145.243.189.65... Operation timed out
> * couldn't connect to host
> * got positive EPSV response, but can't connect. Disabling EPSV
>> PASV
> < 227 Entering Passive Mode (145,243,189,65,131,198)
> *   Trying 145.243.189.65... connected
[...]

This looks like there's some sort of NAT device or firewall that
understands how to deal with "227 Entering Passive Mode
(145,243,189,65,131,198)" from the server, but doesn't understand how
to deal with "229 Entering Extended Passive Mode (|||24440|)". The
server itself clearly doesn't have a problem with EPSV.

> -One server that does exactly the opposite: it doesn't accept PASV. curl can
> only connect with EPSV enabled. I know that this server is behind a small
> Firewall and it's Windows 2008 64 bit Microsoft FTP Service from IIS 7 (if
> it makes any difference).
>
> Here's a log of connection attempt with EPSV disabled:
>
> * About to connect() to www.xeen3d.de port 21 (#0)
> *   Trying 87.193.152.189... connected
> * Connected to www.xeen3d.de (87.193.152.189) port 21 (#0)
[...]
>> PASV
> * Connect data stream passively
> < 227 Entering Passive Mode (87,193,152,189,19,141).
>
> <75 sec wait>
>
> *   Trying 87.193.152.189... Operation timed out
> * couldn't connect to host

Again here the server seems happy with PASV, but the firewall/NAT
device doesn't like it.

> -Other FTP clients I tried (Cyberduck and Transmit) connect to all sites
> with no problems.

Well, it seems unlikely to me that Cyberduck and Transmit both know in
advance whether the firewalls and/or NAT devices between you and an
arbitrary server will allow PASV vs. EPSV to work, so they must not be
using either PASV or EPSV, but rather active mode FTP (i.e. the PORT
command). Of course the PORT command can also fail in exactly the
same way if there are broken firewalls or NAT devices between you and
the server, so I don't see how there can be any universally correct
answer to your problem.

Have you tried "--ftp-port -" with the servers you need to talk to?
Are you always running this from the same client or are multiple
clients involved? If multiple clients are involved, then the firewall
on the client becomes more important when using --ftp-port, because
the server will have to make a connection back to the client and the
client's firewall might not allow the incoming connection from the
server.

> I'm on Mac OS X 10.5.8, still with libcurl 7.16.3 - but from what Daniel
> said I understand that later versions wouldn't change anything in this area.
>
> So is there a way to make curl choose the correct method (EPSV/PASV)
> automatically?

No, I don't think so. If the server rejected EPSV or PASV then
libcurl could know immediately that there was a problem and switch to
the other one (or maybe to PORT). Because this problem is caused by
something in between the client and the server and the only way to
know it didn't work is to try and wait for a certain amount of time
before giving up, there's no correct answer.

You could try contacting the people who look after the network where
each server lives and convince them that there is a problem and hope
they fix it. You could also try using --ftp-port and see if that
helps. Otherwise you could build up a list of known servers and the
options that are known to work with them and then be prepared to
update that list when things change. You could perhaps update the
list automatically if you detect a timeout with EPSV for a particular
server and that PASV works for example.

> Am I missing something? (BTW, the same question applies to
> choosing between passive and active mode).

Indeed :)

> I LOVE curl, but obviously I want to understand why I can't achieve
> something that other FTP clients can - and if I can achieve this, then what
> am I doing wrong?

Well in order to answer that question, it is necessary to find out
what these other FTP clients are doing differently. Perhaps you can
capture the network traffic between the client and server when running
these other FTP clients and use Wireshark to see what they do
differently from libcurl.

-- 
Michael Wood <esiotrot_at_gmail.com>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2011-02-05
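The behaviour the thread describes (a server that answers 229 or 227 happily while a NAT or firewall in the path silently drops one of the two data-port styles) and the suggested workaround of remembering per server which mode works, as an added Python example that is not part of the thread and not curl's or libcurl's own code. It assumes an in-memory preference table, a constructed `fake_connect` stand-in for the real data-socket connect (so it runs offline), the two hosts and the 229/227 replies quoted in the logs above, and one made-up EPSV reply (port 49152) for the second host, whose EPSV reply the thread does not show. The 227 parser also applies the check a practitioner would want: the address in a PASV reply is untrusted, so unless explicitly told otherwise it connects to the control-connection host, which is what curl's `--ftp-skip-pasv-ip` option does.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# RFC 2428 EPSV reply: "229 ... (|||port|)"; RFC 959 PASV reply:
# "227 ... (h1,h2,h3,h4,p1,p2)" where port = p1*256 + p2.
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")
PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_epsv(reply: str, control_host: str) -> Tuple[str, int]:
    """EPSV carries only a port; the data host is always the control host."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("EPSV port out of range: %d" % port)
    return control_host, port


def parse_pasv(reply: str, control_host: str,
               trust_reply_ip: bool = False) -> Tuple[str, int]:
    """Decode a 227 reply. The address it names is untrusted input."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV port is 0")
    # A 227 reply can name any address (a NAT that did not rewrite it, or a
    # hostile server bouncing the client at a third party). Unless the caller
    # opts in, connect to the control host instead; curl's --ftp-skip-pasv-ip
    # option makes the same choice.
    if host != control_host and not trust_reply_ip:
        host = control_host
    return host, port


@dataclass
class PassiveConnector:
    """Try EPSV then PASV with a short connect timeout and remember, per
    server, which one the path to that server lets through."""
    try_connect: Callable[[str, int, float], bool]  # (host, port, timeout)
    timeout: float = 5.0                             # seconds, not 75
    preferred: Dict[str, str] = field(default_factory=dict)
    attempts: List[Tuple[str, str, int, bool]] = field(default_factory=list)

    def open_data(self, control_host: str,
                  send_cmd: Callable[[str], str]) -> Tuple[str, str, int]:
        order = ["EPSV", "PASV"]
        if self.preferred.get(control_host) == "PASV":
            order.reverse()
        for mode in order:
            reply = send_cmd(mode)
            parse = parse_epsv if mode == "EPSV" else parse_pasv
            try:
                host, port = parse(reply, control_host)
            except ValueError:
                continue  # server rejected the command outright: cheap to detect
            ok = self.try_connect(host, port, self.timeout)
            self.attempts.append((mode, host, port, ok))
            if ok:
                self.preferred[control_host] = mode  # remember what worked
                return mode, host, port
        raise ConnectionError("no passive mode works for %s" % control_host)


# Constructed stand-in for the two servers in the thread. The 229/227 replies
# of the first host and the 227 reply of the second are the ones quoted in
# the logs; the second host's EPSV reply (port 49152) is made up for the demo.
REPLIES = {
    "145.243.189.65": {
        "EPSV": "229 Entering Extended Passive Mode (|||24440|)",
        "PASV": "227 Entering Passive Mode (145,243,189,65,131,198)"},
    "87.193.152.189": {
        "EPSV": "229 Entering Extended Passive Mode (|||49152|)",
        "PASV": "227 Entering Passive Mode (87,193,152,189,19,141)."},
}
# Data ports the middleboxes silently drop, as seen in the thread's logs:
# the EPSV port of the first host and the PASV port (19*256+141) of the second.
DROPPED = {("145.243.189.65", 24440), ("87.193.152.189", 5005)}


def fake_connect(host: str, port: int, timeout: float) -> bool:
    """Stand-in for socket.create_connection((host, port), timeout)."""
    return (host, port) not in DROPPED


def demo() -> PassiveConnector:
    c = PassiveConnector(try_connect=fake_connect, timeout=5.0)
    for host in ("145.243.189.65", "145.243.189.65", "87.193.152.189"):
        c.open_data(host, lambda cmd, h=host: REPLIES[h][cmd])
    return c


if __name__ == "__main__":
    for mode, host, port, ok in demo().attempts:
        print("%-4s %s:%d -> %s" % (mode, host, port, "ok" if ok else "timeout"))
```

Run against the constructed replies, the first host costs one short timeout on EPSV and then succeeds on PASV; the second call to the same host goes straight to PASV because the result was remembered, and the second host succeeds on EPSV at the first attempt. With the real curl command line the knobs that correspond to this are `--disable-epsv` (force PASV), `--ftp-port -` (active mode, as suggested above) and `--connect-timeout` to shorten the 75 second wait; the per-server table still has to live in the caller, as the reply notes, because nothing in the 229 or 227 reply itself reveals that a middlebox will drop the connection.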